I keep on reading about people who think they had a properly secure password getting their crypto stolen.
Most of the commentary seems to be that these individuals have simply messed up their passwords and have somehow landed on an easily crackable password.
However, I don't really think that it's safe to just assume that there is not something else going on here, and I have a hunch that it could be related to the 'Emergency Access' feature.
As far as I can tell, when you add someone as your emergency access contact, a copy of your vault is encrypted using their public key, and that copy is stored on the LP servers. This copy is released to them if they request access, and the time has passed.
But - as far as I can tell - this means that there are two encrypted versions of your vault on the LastPass servers. One encrypted with your own password, and one with your emergency contact's password. Given that all the vaults were leaked, it's safe to say that the emergency contact ones were also leaked.
Assuming that all of the above is correct (and I am very happy to be proved wrong on any of it) then the security of your vault post-leak is determined by the weakest password from all of your emergency contacts. Which - if true - could be the way these supposedly secure vaults are getting decrypted.